ci: fix workflows

Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
This commit is contained in:
Paul Meyer 2022-11-11 14:49:16 +01:00
parent 38cc2c1ab0
commit 09969afd57
17 changed files with 74 additions and 58 deletions


@ -50,8 +50,8 @@ inputs:
description: "The resource group to use"
required: false
azureUserAssignedIdentity:
description: "The Azure user assigned identity to use for Constellation."
required: false
description: "The Azure user assigned identity to use for Constellation."
required: false
cosignPublicKey:
description: "Cosign public key to sign measurements."
required: true
@ -74,6 +74,11 @@ inputs:
description: "AWS S3 bucket name to upload measurements."
required: true
outputs:
kubeconfig:
description: "Kubeconfig file of the created cluster."
value: ${{ steps.create-cluster.outputs.kubeconfig }}
runs:
using: "composite"
steps:
@ -95,6 +100,7 @@ runs:
if: ${{ inputs.cloudProvider == 'gcp' }}
- name: Create cluster
id: create-cluster
uses: ./.github/actions/constellation_create
with:
cloudProvider: ${{ inputs.cloudProvider }}
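Review bot: The new `kubeconfig` output's description, `"Kubeconfig file of the created cluster."`, does not say whether `steps.create-cluster.outputs.kubeconfig` is a path or the file's contents, and composite-action outputs are not masked in logs or in downstream `${{ }}` expansions, so if it is the contents the cluster credential is exposed wherever a caller interpolates it. If it is a path, say so: `description: "Path to the kubeconfig file of the created cluster."`; if it is the contents, the producing step should mask the value with `::add-mask::` before writing the output. The value is set inside `./.github/actions/constellation_create`, which is outside this diff, so this is inferred from the description only.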


@ -75,4 +75,4 @@ jobs:
- name: Verify report
shell: bash
run: go run ./hack/azure-snp-report-verify/verify.go $(cat ./maa-report.jwt)
run: go run ./hack/azure-snp-report-verify/verify.go "$(cat ./maa-report.jwt)"
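Review bot: `"$(cat ./maa-report.jwt)"` on the new `run:` line can be `"$(< ./maa-report.jwt)"`; the step already runs under `shell: bash`, which reads the file itself, and it avoids the useless-cat form that this same commit removes elsewhere (the tfsec `tail` line and the AWS `jq` line). Behaviour is otherwise identical, so this is purely a style point.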


@ -45,11 +45,11 @@ jobs:
run: |
case "${{ inputs.microService }}" in
"join-service" )
echo "microServiceDockerfile=joinservice/Dockerfile" >> $GITHUB_ENV ;;
echo "microServiceDockerfile=joinservice/Dockerfile" >> "$GITHUB_ENV" ;;
"kmsserver" )
echo "microServiceDockerfile=kms/Dockerfile" >> $GITHUB_ENV ;;
echo "microServiceDockerfile=kms/Dockerfile" >> "$GITHUB_ENV" ;;
"verification-service" )
echo "microServiceDockerfile=verify/Dockerfile" >> $GITHUB_ENV ;;
echo "microServiceDockerfile=verify/Dockerfile" >> "$GITHUB_ENV" ;;
esac
- name: Build and upload container image
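Review bot: The `case "${{ inputs.microService }}"` block has no default branch, so an unrecognised value silently leaves `microServiceDockerfile` unset and the `Build and upload container image` step that follows (outside this hunk) fails on an empty Dockerfile path instead of on the bad input. Add `*) echo "unknown microService: ${{ inputs.microService }}" >&2; exit 1 ;;` before `esac`. Quoting `"$GITHUB_ENV"` is right; the three `echo` lines could also share one grouped `>> "$GITHUB_ENV"` redirect as the commit does for `$GITHUB_OUTPUT` in the image workflow, but that is cosmetic.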


@ -55,8 +55,10 @@ jobs:
- name: Collect hashes
id: collect-hashes
run: |
echo "bootstrapper-sha256=$(sha256sum bootstrapper | head -c 64)" >> $GITHUB_OUTPUT
echo "disk-mapper-sha256=$(sha256sum disk-mapper | head -c 64)" >> $GITHUB_OUTPUT
{
echo "bootstrapper-sha256=$(sha256sum bootstrapper | head -c 64)"
echo "disk-mapper-sha256=$(sha256sum disk-mapper | head -c 64)"
} >> "$GITHUB_OUTPUT"
working-directory: ${{ github.workspace }}/build
build-settings:
@ -82,12 +84,12 @@ jobs:
run: |
if [ "${{ startsWith(github.ref, 'refs/heads/release/') && (inputs.debug == false) }}" = true ]
then
echo "imageType=release" >> $GITHUB_OUTPUT
echo "imageType=release" >> "$GITHUB_OUTPUT"
elif [ "${{ ((github.ref == 'refs/heads/main') || startsWith(github.ref, 'refs/heads/release/')) && (inputs.debug == true) }}" = true ]
then
echo "imageType=debug" >> $GITHUB_OUTPUT
echo "imageType=debug" >> "$GITHUB_OUTPUT"
else
echo "imageType=branch" >> $GITHUB_OUTPUT
echo "imageType=branch" >> "$GITHUB_OUTPUT"
fi
- name: Determine PKI set
@ -96,9 +98,9 @@ jobs:
run: |
if [ "${{ steps.image-type.outputs.imageType }}" = "release" ]
then
echo "pkiSet=pki_prod" >> $GITHUB_OUTPUT
echo "pkiSet=pki_prod" >> "$GITHUB_OUTPUT"
else
echo "pkiSet=pki_testing" >> $GITHUB_OUTPUT
echo "pkiSet=pki_testing" >> "$GITHUB_OUTPUT"
fi
make-os-image:
@ -170,8 +172,8 @@ jobs:
id: prepare-pki
shell: bash
run: |
echo "${DB_KEY}" > ${PKI_SET}/db.key
ln -s ${PKI_SET} pki
echo "${DB_KEY}" > "${PKI_SET}/db.key"
ln -s "${PKI_SET}" pki
working-directory: ${{ github.workspace }}/image
env:
PKI_SET: ${{ needs.build-settings.outputs.pkiSet }}
@ -192,14 +194,16 @@ jobs:
- name: Collect hashes
id: collect-hashes
run: |
echo "image-raw-${{ matrix.csp }}-sha256=$(sha256sum image.raw | head -c 64)" >> $GITHUB_OUTPUT
echo "image-efi-${{ matrix.csp }}-sha256=$(sha256sum image.efi | head -c 64)" >> $GITHUB_OUTPUT
echo "image-initrd-${{ matrix.csp }}-sha256=$(sha256sum image.initrd | head -c 64)" >> $GITHUB_OUTPUT
echo "image-root-raw-${{ matrix.csp }}-sha256=$(sha256sum image.root.raw | head -c 64)" >> $GITHUB_OUTPUT
echo "image-root-verity-${{ matrix.csp }}-sha256=$(sha256sum image.root.verity | head -c 64)" >> $GITHUB_OUTPUT
echo "image-vmlinuz-${{ matrix.csp }}-sha256=$(sha256sum image.vmlinuz | head -c 64)" >> $GITHUB_OUTPUT
echo "image-raw-changelog-${{ matrix.csp }}-sha256=$(sha256sum image.raw.changelog | head -c 64)" >> $GITHUB_OUTPUT
echo "image-raw-manifest-${{ matrix.csp }}-sha256=$(sha256sum image.raw.manifest | head -c 64)" >> $GITHUB_OUTPUT
{
echo "image-raw-${{ matrix.csp }}-sha256=$(sha256sum image.raw | head -c 64)"
echo "image-efi-${{ matrix.csp }}-sha256=$(sha256sum image.efi | head -c 64)"
echo "image-initrd-${{ matrix.csp }}-sha256=$(sha256sum image.initrd | head -c 64)"
echo "image-root-raw-${{ matrix.csp }}-sha256=$(sha256sum image.root.raw | head -c 64)"
echo "image-root-verity-${{ matrix.csp }}-sha256=$(sha256sum image.root.verity | head -c 64)"
echo "image-vmlinuz-${{ matrix.csp }}-sha256=$(sha256sum image.vmlinuz | head -c 64)"
echo "image-raw-changelog-${{ matrix.csp }}-sha256=$(sha256sum image.raw.changelog | head -c 64)"
echo "image-raw-manifest-${{ matrix.csp }}-sha256=$(sha256sum image.raw.manifest | head -c 64)"
} >> "$GITHUB_OUTPUT"
working-directory: ${{ github.workspace }}/image/mkosi.output.${{ matrix.csp }}/fedora~36
continue-on-error: true
@ -314,9 +318,9 @@ jobs:
- name: Download VMGS blob
run: |
aws s3 cp \
--region ${AZURE_VMGS_REGION} \
s3://constellation-secure-boot/${PKI_SET}/${AZURE_SECURITY_TYPE}.vmgs \
${PKI_SET}/${AZURE_SECURITY_TYPE}.vmgs \
--region "${AZURE_VMGS_REGION}" \
"s3://constellation-secure-boot/${PKI_SET}/${AZURE_SECURITY_TYPE}.vmgs" \
"${PKI_SET}/${AZURE_SECURITY_TYPE}.vmgs" \
--no-progress
working-directory: ${{ github.workspace }}/image
if: ${{ matrix.csp == 'azure' && !endsWith(env.AZURE_SECURITY_TYPE, 'Supported') }}
@ -331,7 +335,7 @@ jobs:
echo "::group::Upload AWS image"
secure-boot/aws/create_uefivars.sh "${AWS_EFIVARS_PATH}"
upload/upload_aws.sh "${AWS_AMI_OUTPUT}"
echo -e "Uploaded AWS image: \`\`\`$(cat "${AWS_AMI_OUTPUT}" | jq)\`\`\`" >> $GITHUB_STEP_SUMMARY
echo -e "Uploaded AWS image: \`\`\`$(jq < "${AWS_AMI_OUTPUT}")\`\`\`" >> "$GITHUB_STEP_SUMMARY"
echo "::endgroup::"
working-directory: ${{ github.workspace }}/image
if: ${{ matrix.csp == 'aws' }}
@ -353,7 +357,7 @@ jobs:
echo "::group::Upload GCP image"
upload/pack.sh gcp "${GCP_RAW_IMAGE_PATH}" "${GCP_IMAGE_PATH}"
upload/upload_gcp.sh
echo -e "Uploaded GCP image: \`projects/${GCP_PROJECT}/global/images/${GCP_IMAGE_NAME}\`" >> $GITHUB_STEP_SUMMARY
echo -e "Uploaded GCP image: \`projects/${GCP_PROJECT}/global/images/${GCP_IMAGE_NAME}\`" >> "$GITHUB_STEP_SUMMARY"
echo "::endgroup::"
working-directory: ${{ github.workspace }}/image
if: ${{ matrix.csp == 'gcp' }}
@ -374,7 +378,7 @@ jobs:
echo "::group::Upload Azure image"
upload/pack.sh azure "${AZURE_RAW_IMAGE_PATH}" "${AZURE_IMAGE_PATH}"
upload/upload_azure.sh -g --disk-name "${AZURE_DISK_NAME}" "${AZURE_VMGS_PATH}"
echo -e "Uploaded Azure ${AZURE_SECURITY_TYPE} image: \`/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/${AZURE_RESOURCE_GROUP_NAME^^}/providers/Microsoft.Compute/galleries/${AZURE_GALLERY_NAME}/images/${AZURE_IMAGE_DEFINITION}/versions/${AZURE_IMAGE_VERSION}\`" >> $GITHUB_STEP_SUMMARY
echo -e "Uploaded Azure ${AZURE_SECURITY_TYPE} image: \`/subscriptions/0d202bbb-4fa7-4af8-8125-58c269a05435/resourceGroups/${AZURE_RESOURCE_GROUP_NAME^^}/providers/Microsoft.Compute/galleries/${AZURE_GALLERY_NAME}/images/${AZURE_IMAGE_DEFINITION}/versions/${AZURE_IMAGE_VERSION}\`" >> "$GITHUB_STEP_SUMMARY"
echo "::endgroup::"
working-directory: ${{ github.workspace }}/image
if: ${{ matrix.csp == 'azure' }}
@ -426,9 +430,11 @@ jobs:
- name: Calculate expected PCRs
run: |
echo "::group::Calculate expected PCRs"
./precalculate_pcr_4.sh ${{ github.workspace }}/image.raw ${{ github.workspace }}/pcr-4-${{ matrix.csp }}.json >> $GITHUB_STEP_SUMMARY
./precalculate_pcr_8.sh ${{ github.workspace }}/image.raw ${{ github.workspace }}/pcr-8-${{ matrix.csp }}.json ${{ matrix.csp }} >> $GITHUB_STEP_SUMMARY
./precalculate_pcr_9.sh ${{ github.workspace }}/image.raw ${{ github.workspace }}/pcr-9-${{ matrix.csp }}.json >> $GITHUB_STEP_SUMMARY
{
./precalculate_pcr_4.sh ${{ github.workspace }}/image.raw ${{ github.workspace }}/pcr-4-${{ matrix.csp }}.json
./precalculate_pcr_8.sh ${{ github.workspace }}/image.raw ${{ github.workspace }}/pcr-8-${{ matrix.csp }}.json ${{ matrix.csp }}
./precalculate_pcr_9.sh ${{ github.workspace }}/image.raw ${{ github.workspace }}/pcr-9-${{ matrix.csp }}.json
} >> "$GITHUB_STEP_SUMMARY"
cp pcr-stable.json ${{ github.workspace }}/
jq --sort-keys -s '.[0] * .[1] * .[2] * .[3]' ${{ github.workspace }}/pcr-* > ${{ github.workspace }}/pcrs-${{ matrix.csp }}.json
echo "::endgroup::"
@ -522,4 +528,4 @@ jobs:
${{ needs.make-os-image.outputs.image-vmlinuz-qemu-sha256 }} qemu/image.vmlinuz
EOF
cat SHA256SUMS
echo -e "SHA256SUMS:\n\`\`\`\n$(cat SHA256SUMS)\n\`\`\`" >> $GITHUB_STEP_SUMMARY
echo -e "SHA256SUMS:\n\`\`\`\n$(cat SHA256SUMS)\n\`\`\`" >> "$GITHUB_STEP_SUMMARY"
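Review bot: In the `prepare-pki` step, `echo "${DB_KEY}" > "${PKI_SET}/db.key"` fixes the quoting but still creates the key file under the runner's default umask, so the secure-boot db private key sits readable by any other process or user on the runner for the rest of the job; write it with restricted permissions, `(umask 077; printf '%s\n' "${DB_KEY}" > "${PKI_SET}/db.key")`. DB_KEY's source is outside this diff, so this assumes it is a secret, which the name and the `pki_prod` set strongly suggest. Separately, the `Calculate expected PCRs` step still interpolates `${{ github.workspace }}` unquoted into the three `precalculate_pcr_*.sh` calls, the `cp` and the `jq` line while the rest of the commit quotes every expansion; using `"${GITHUB_WORKSPACE}/image.raw"` and the like would be both quoted and free of template interpolation.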


@ -45,8 +45,8 @@ jobs:
run: |
uuid=$(cat /proc/sys/kernel/random/uuid)
name=e2e-test-${uuid%%-*}
az group create --location northeurope --name $name --tags e2e
echo "res_group_name=$name" >> $GITHUB_OUTPUT
az group create --location northeurope --name "$name" --tags e2e
echo "res_group_name=$name" >> "$GITHUB_OUTPUT"
- name: Run E2E test
id: e2e_test


@ -120,8 +120,8 @@ jobs:
run: |
uuid=$(uuidgen)
name=e2e-test-${uuid%%-*}
az group create --location westus --name $name --tags e2e
echo "res_group_name=$name" >> $GITHUB_OUTPUT
az group create --location westus --name "$name" --tags e2e
echo "res_group_name=$name" >> "$GITHUB_OUTPUT"
- name: Set up gcloud CLI
if: ${{ github.event.inputs.cloudProvider == 'gcp' }}
@ -154,7 +154,7 @@ jobs:
continue-on-error: true
uses: ./.github/actions/constellation_destroy
with:
cloudProvider: ${{ steps.e2e_test.outputs.kubeconfig }}
kubeconfig: ${{ steps.e2e_test.outputs.kubeconfig }}
- name: Notify teams channel
if: ${{ failure() && github.ref == 'refs/heads/main' }}


@ -85,8 +85,8 @@ jobs:
run: |
uuid=$(cat /proc/sys/kernel/random/uuid)
name=e2e-test-${uuid%%-*}
az group create --location westus --name $name --tags e2e
echo "res_group_name=$name" >> $GITHUB_OUTPUT
az group create --location westus --name "$name" --tags e2e
echo "res_group_name=$name" >> "$GITHUB_OUTPUT"
- name: Run manual E2E test
id: e2e_test


@ -65,8 +65,8 @@ jobs:
run: |
uuid=$(cat /proc/sys/kernel/random/uuid)
name=e2e-test-${uuid%%-*}
az group create --location northeurope --name $name --tags e2e
echo "res_group_name=$name" >> $GITHUB_OUTPUT
az group create --location northeurope --name "$name" --tags e2e
echo "res_group_name=$name" >> "$GITHUB_OUTPUT"
- name: Run E2E test
id: e2e_test


@ -53,10 +53,11 @@ jobs:
run: |
uuid=$(cat /proc/sys/kernel/random/uuid)
name=e2e-test-${uuid%%-*}
az group create --location westus --name $name --tags e2e
echo "res_group_name=$name" >> $GITHUB_OUTPUT
az group create --location westus --name "$name" --tags e2e
echo "res_group_name=$name" >> "$GITHUB_OUTPUT"
- name: Create Cluster & Generate Measurements
id: create_and_measure
uses: ./.github/actions/generate_measurements
with:
cloudProvider: ${{ github.event.inputs.cloudProvider }}
@ -83,6 +84,8 @@ jobs:
if: always()
continue-on-error: true
uses: ./.github/actions/constellation_destroy
with:
kubeconfig: ${{ steps.create_and_measure.outputs.kubeconfig }}
- name: Always destroy Azure resource group
if: ${{ always() && github.event.inputs.cloudProvider == 'azure' }}


@ -84,7 +84,7 @@ jobs:
curl -LO https://github.com/anchore/grype/releases/download/v${GRYPE_VERSION}/grype_${GRYPE_VERSION}_linux_amd64.tar.gz
tar -xzf grype_${GRYPE_VERSION}_linux_amd64.tar.gz
./grype version
echo $(pwd) >> $GITHUB_PATH
pwd >> "$GITHUB_PATH"
shell: bash
- name: Build signed SBOMs
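Review bot: `pwd >> "$GITHUB_PATH"` is the right replacement for `echo $(pwd)`, but the binary it puts on PATH comes from the context lines just above, `curl -LO .../grype_${GRYPE_VERSION}_linux_amd64.tar.gz` followed by `tar -xzf`, with no checksum or signature check, so the SBOM step trusts whatever the release URL serves at that moment. If the release publishes a checksums file (goreleaser-built projects usually do), fetch it alongside the tarball and run `sha256sum --check --ignore-missing` before `tar`, or pin the expected digest in the workflow. This is pre-existing rather than introduced here, so it is a follow-up rather than a blocker.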


@ -41,10 +41,10 @@ jobs:
run: |
mods=$(go list -f '{{.Dir}}/...' -m | xargs)
echo "Found mods: $mods"
echo "submods=${mods}" >> $GITHUB_OUTPUT
echo "submods=${mods}" >> "$GITHUB_OUTPUT"
- name: Govulncheck
shell: bash
run: |
go install golang.org/x/vuln/cmd/govulncheck@latest
GOMEMLIMIT=5GiB govulncheck $(go list -f '{{.Dir}}/...' -m | xargs)
GOMEMLIMIT=5GiB govulncheck "$(go list -f '{{.Dir}}/...' -m | xargs)"
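Review bot: `govulncheck "$(go list -f '{{.Dir}}/...' -m | xargs)"` now passes the whole module list as one argument: `xargs` joins the patterns with spaces and the new double quotes keep them as a single word, so with more than one module govulncheck is asked for a package named `<dir1>/... <dir2>/...` and fails, where the old unquoted form split them as intended (the `submods` step above shows several modules are expected). Collect the patterns into an array and expand it instead: `mapfile -t mods < <(go list -f '{{.Dir}}/...' -m)` then `GOMEMLIMIT=5GiB govulncheck "${mods[@]}"`. That keeps the shellcheck-clean quoting without collapsing the argument list.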


@ -46,7 +46,7 @@ jobs:
run: |
mods=$(go list -f '{{.Dir}}/...' -m | xargs)
echo "Found mods: $mods"
echo "submods=${mods}" >> $GITHUB_OUTPUT
echo "submods=${mods}" >> "$GITHUB_OUTPUT"
- name: golangci-lint
uses: golangci/golangci-lint-action@07db5389c99593f11ad7b44463c2d4233066a9b1 # tag=v3.3.0


@ -35,7 +35,7 @@ jobs:
run: |
dirs=$(find . \! -name . -prune -type d)
for dir in $dirs; do
(cd $dir; make manifests generate)
(cd "$dir"; make manifests generate)
done
- name: Check diff and fail on changes
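Review bot: `(cd "$dir"; make manifests generate)` quotes the directory but the `;` still lets `make` run in the wrong directory if `cd` fails, relying on the runner's `-e` default to abort; `(cd "$dir" && make manifests generate)` makes the dependency explicit. The same `;` form is left in the go-tidy workflow later in this commit (`(cd $mod; go mod tidy)`).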


@ -32,8 +32,8 @@ jobs:
result=0
for dir in $dirs; do
echo "Checking $dir"
terraform -chdir=$dir init || result=1
terraform -chdir=$dir fmt -check=true -diff=true || result=1
terraform -chdir=$dir validate -no-color || result=1
terraform -chdir="$dir" init || result=1
terraform -chdir="$dir" fmt -check=true -diff=true || result=1
terraform -chdir="$dir" validate -no-color || result=1
done
exit $result


@ -36,4 +36,4 @@ jobs:
- name: tfsec summary
shell: bash
run: cat results.text | tail -n 27 >> $GITHUB_STEP_SUMMARY
run: tail -n 27 results.text >> "$GITHUB_STEP_SUMMARY"
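Review bot: `tail -n 27 results.text` keeps a magic number without saying what those 27 lines are, so the summary silently breaks or truncates when tfsec's output layout changes; document the dependency above the step, e.g. `# The last 27 lines of results.text are tfsec's summary block; adjust if the output format changes`. Presumably that is the intent, but the tfsec invocation that writes `results.text` is outside this hunk, so confirm the line count against it.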


@ -38,7 +38,7 @@ jobs:
run: |
mods=$(go list -f '{{.Dir}}' -m | xargs)
echo "Found mods: $mods"
echo "submods=${mods}" >> $GITHUB_OUTPUT
echo "submods=${mods}" >> "$GITHUB_OUTPUT"
- name: Go tidy check
id: tidycheck
@ -54,7 +54,8 @@ jobs:
if: ${{ failure() && (steps.tidycheck.conclusion == 'failure') && startsWith(github.head_ref, 'renovate/') }}
shell: bash
run: |
for mod in ${{ steps.submods.outputs.submods }}; do
mods=${{ steps.submods.outputs.submods }}
for mod in $mods; do
(cd $mod; go mod tidy)
done
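Review bot: The new `mods=${{ steps.submods.outputs.submods }}` assignment is unquoted, and `submods` is a space-joined list (the `Get submodules` step builds it with `xargs`), so with more than one module bash parses `mods=dir1 dir2` as "run the command `dir2` with `mods=dir1` in its environment": only the first module is assigned and the step errors under `-e`, whereas the old `for mod in ${{ ... }}` form split the list as intended. Quote the assignment, `mods="${{ steps.submods.outputs.submods }}"`, and leave `for mod in $mods` unquoted so the loop still word-splits. While here, `(cd $mod; go mod tidy)` should become `(cd "$mod" && go mod tidy)` to match the `"$dir"` quoting this commit applies in the terraform and manifests workflows.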


@ -31,12 +31,12 @@ jobs:
- name: Get commit sha
run: |
echo "COMMIT_END=$(echo ${{ github.sha }} | cut -c1-8)" >> $GITHUB_ENV
echo "COMMIT_END=$(echo ${{ github.sha }} | cut -c1-8)" >> "$GITHUB_ENV"
- name: Check if action branch exists
run: |
ex=$(git ls-remote --heads origin action/constellation/update-cli-reference)
echo "EXISTS=$(if [ -z "$ex" ]; then echo 0; else echo 1; fi)" >> $GITHUB_ENV
ex="$(git ls-remote --heads origin action/constellation/update-cli-reference)"
echo "EXISTS=$(if [ -z "$ex" ]; then echo 0; else echo 1; fi)" >> "$GITHUB_ENV"
- name: Publish new reference (create new branch)
if: ${{ env.EXISTS == 0 }}